Thanks for the explanation. Still trying to wrap my head around some of the aspects of the act. Not sure or you can speak to this or not.
You want nerd Brihard? 'Cause that's how you get nerd Brihard. Off we go...
1. Rv Bykovets recognized a meaningful privacy interest in linking an individual to online activity. If the SCC said there's significant privacy interest in connecting an online identifier to a real person why should police be able to get that information using the lower standard of reasonable suspicion instead of the higher standard of reasonable grounds to believe?
You're conflating two things into one.
Bykovets was a narrow ruling that a bare IP address on its own attracts a reasonable expectation of privacy. The practical impact has been that police who receive an unsolicited disclosure of an IP address from any third party as part of an offence could not simply use it. An IP address on its own can only be tracked back to an internet service provider. Where we see this impact the most in real life is where service providers like Discord detect child porn on their system, and they report it to the U.S. National Centre for Missing and Exploited Children. NCMEC is an NGO that takes these reports and forwards them to police all over the world. NCMEC will say 'Hey police, Discord reported that on Wednesday June 17th at 11:44 p.m., Discord user 'pedocreep' shared child porn. They were on IP address 123.45.67.89". Pre
Bykovets, police could look up that IP, see it came back to Bell, ask Bell to confirm they have records for that IP on that date, and then write a production order to Bell for the subscriber info for that IP on that date. Now, post
Bykovets, because the IP itself is considered to be subject to REP, now instead police have to save that disclosure, not use it or look at it, draft an Information to Obtain a production order
naming their own police service, and ordering the police service to disclose that report including the IP address to itself. It's an absurdity, and it adds significant time and burden to the early stages of the investigation. There's no way Parliament intended this, and the 'Unsolicited Provision of Information' amendment to C.C. 487.0195(3) addresses exactly this.
Subscriber information is a separate matter. Subscriber informaiton has already been subject to REP. Subscriber information would be if we wanted to identify the account subscriber for IP 123.45.67.89 on June 17th at 11:44 p.m. We'll get subscriber name, address, probably phone and email, and usernames/pseudonyms. At present we need a
General Production Order under S.487.014 to get this info. A GPO requires reasonable grounds to
believe an offence has been committed, that documents or data exist and are in the possession or control of a third party not under investigation, and that those documents or data will afford evidence. Bill C-22 is going to amend this to a reasonable grounds to
suspect threshold. RGS is not a new threshold; it already exists and is regularly applied in other contexts. For instance:
- I can get a 487.018 Production Order for Financial Information on Reasonable Grounds to Suspect. With this, I can get a bank to disclose simply the existence and basic information (type, currency etc) of all accounts linked to a known name,
or I can provide an account number and get the account holder name. But if I want the records of transactions, copies of cheques or bank drafts, stuff like that- that's much more intrusive and I need the 487.014 General Production Order on the RG Believe threshold.
- I can get a 492.1 Tracking Warrant to put a tracking device on, say, a car or a suitcase on the
Reasonable Grounds to Suspect standard. But to get the same warrant for something likely ot be worn or carried by a person, like their phone or smart watch, I have to write to the much higher
Reasonable Grounds to Believe standard. With more intrusion on privacy comes a higher bar to hit.
The new proposed Production Order for Subscriber Information will be more akin to the Production Order for Financial Data that lets us confirm simply the identity and contact info of an account holder without getting transaction or other more sensitive contents. If we want more than just the basic subscriber info, we'll need to write to the higher threshold. In practical terms, this will let us more easily bridge the gap when we already have criminality but need to identify who is behind a particular user or service account.
2. What safeguards prevent these confirmation of service demands from becoming a routine fishing step before investigators have grounds for a production order?
Literally the point is to help us reach grounds for a production order. Right now, service providers will basicaly with a wink and a nod tells us 'yeah, we have a subscriber account for IP 123.45.67.89'. They generally expect us ot articulate at least some need for the info, but htere's no real legal safeguard at all.
The new Confirmation of Service Demand creates a formal legal framework. While it doesn't have to go through and be signed off by a judge or justice beforehand, we need to be prepared to show our work if challenged in court. It specifically requires that we have reasonable grounds to suspect an offence has been or will be committed, and that confirming the provision of service will assist in the investigation. And, the recipient of the demand has a right to apply to challenge it in court and isn't obligated to provide the result til that challenge is heard. So this formalizes all this and does add both some due process and some safeguards. Right now it's the wild west. The big service providers like the major telcos are quite predictable, but with other companies we might get more than we should, or they might ignore us entirely.
The point of a confirmation service is for us to them be able to say to the court in a production order application, "Bell Canada confirmed to us that they provide service to this account". A really great example of where this is important is when someone signs up for a cell phone with one company but then ports it over to another. Confirmation of service will let us get it right the first time so investigations aren't unduly delayed.
3. And the big one, which investigative problems are actually being solved here that couldn't already be addressed through existing production orders and warrants, albeit with more time and paperwork? Or is that the meat and potstos of it, just a short turn around time?
I hit on this somewhat. In some cases, like confirmation of service, right now we could get ghosted by a provider and struggle to get the necessary grounds at all. Or we may have reasonable suspicion, but not yet reasonable belief because someone has concealed their digital tracks pretty well, and that stymies us. And yes, the time spent and especially the additional layer of Production Orders to comply with
Bykovets is absolutely something that can introduce critical delay.
There's some other stuff in C-22; I'm on a computer now rather than my phone so it's easier... I mentioned tracking warrants - right now, say we have a tracker on a phone or a car and the person switches phones or cars, we're hooped and need to rewrite. C-22 will give us a 'resort to' clause that lets us swap tracking to a new but substantially similar object or device. This mirrors how we can already follow a person to a new phone line if they switch up and we have a wiretap, so that's not new. Very important for, e.g., organized crime who know to switch cars or devices frequently and unpredictably.
There are also provisions that formalize how data is treated in search and seizure. That's a huge gap in statute that's fille in by case law that's developed haphazardly and isn't consistent in every jurisdiction (looking at you, B.C.). It will clarify our search and seizure authorities to extract data from devices already in our possession, which happens a lot... It's more a housekeeping thing in that respect, but helpful.
Off the top of my head those are the big ones. There's some other stuff too, smaller to the best of my recollection, but I'm getting summoned by the wife so I'm gonna leave it at that for now.
